At USAA, cybersecurity is a ‘24/7 problem’

1of6Joe Arthur, executive director of information security engineering and cyber operations, speaks about the measures that USAA takes to keep the enterprise and customers secure at USAA's headquarters in San Antonio.Photo: Josie Norris /Staff photographer

2of6Gary McAlum, chief security officer at USAA, speaks about the measures that USAA takes to keep the firm and their customers secure at USAA's headquarters in San Antonio.Photo: Josie Norris /Staff photographer

Amid a raging cyber war, USAA’s cybersecurity experts must be on the defense at all times.

At the Cyber Threat Operations Center, located inside the bank’s headquarters in San Antonio, they are always monitoring attempts by cybercriminals to gain access. Teams focus on detecting threats, analyzing them, looking for vulnerabilities and reverse engineering malicious software. There’s someone on shift around the clock.

An electronic map on a wall in the center lights up with yellow arcs showing the millions of attacks against the firm on a daily basis. They come in from all over the world.

On a recent weekday, there were more than 12 million in a 24-hour period. Gary McAlum, chief security officer at USAA, said he’s seen that figure get up to 20 million.

“We look at security as a 24/7 problem,” he said. “The problem of cybersecurity never gets solved. It just changes and morphs continuously.”

Financial institutions have always been appealing targets for thieves, but the frequency and sophistication of cyberattacks has contributed to a sense of urgency. Hackers have unlimited times and resources, McAlum said. At USAA, “we live in a state of what I call healthy paranoia,” he added.

Along with financial implications, breaches can tarnish a company’s brand.

Staying safe online

Three tips from Gary McAlum for protecting yourself:

Be vigilant. If you’re not sure about an email, a text or a phone call, call your bank or organization. Be skeptical of giving out personal information to someone you don’t know.

Set up stronger authentication. If you can set up more measures than a user ID and a password, do so. Don’t use the same passwords for all accounts.

Limit what you share publicly on social media. It’s a key source of information for cybercriminals, and people should understand a platform’s privacy settings.

Read More

The average cost of cybercrime in the financial services sector was $18.28 million last year, according to a study by Accenture and Ponemon Institute. It was the highest figure among the 15 industries the groups looked at.

In a 2017 report, the U.S. Department of the Treasury listed cyberattacks as one of the main threats to the industry. “Financial firms are connected through complex, interconnected networks,” the authors wrote. “Disruptions to the operations of a key institution in the financial system could be transmitted through these networks and lead to a systemic crisis.”

Financial firms are getting better at preventing attacks, another report by Accenture found. They surveyed more than 800 security professionals from the financial services sector and found that companies stopped 81 percent of breaches between Feb. 1, 2017, and Jan. 31, 2018, compared with 66 percent for the 12 months prior to that time period.

However, more than 40 percent of breaches on average went unnoticed for over a week, they found.

“Financial services firms are converging to a level of mastery when it comes to the security status quo, including their cyber resilience and response readiness,” Chris Thompson, global security and resilience lead for financial services at Accenture Security, said in a news release. “But as business technology evolves, so too must cybersecurity. The new technologies that banks and insurers are embracing — including cloud, microservices, application programing interfaces, edge computing and blockchain — will create new security risks, especially as cyberattacks evolve in sophistication.”

USAA had a net worth of $30.6 billion and more than 12 million members last year, according to its annual Report to Members. The firm has the dual responsibility of protecting its enterprise, which includes employees, servers, mobile devices, computers, data and the supply chain, as well as its members and their digital interactions, McAlum said.

“You have to respect the threat because they have unlimited resources and every advantage,” he said. “If you ever think you're better than the threat, you get complacent and careless.”

The organization and other financial institutions see an assortment of attacks, from large-scale bot attacks to phishing sites to different kinds of malware, said Joe Arthur, USAA’s executive director of information security engineering and cyber operations. The firm does penetration testing, both standard tests and unannounced ones to see how employees respond to simulated attacks, and provides training for employees.

One of the six teams he leads focuses on threats that didn’t manage to get in, looking at who might be targeting the organization and how they can detect them.

“How do we understand the latest tactics and techniques that are out there that are used by attackers, and then how well-positioned are we to defend against that sort of attack?” Arthur said.

The biggest challenge on the consumer end is authentication, McAlum said.

The main way to verify someone’s identity currently is through knowledge-based authentication: People have to enter a user ID and a password and possibly answer a few security questions.

But McAlum believes that’s a risky model because of the number of data breaches that have occurred, and USAA is trying to shift more members to multifactor authentication. On the firm’s mobile app, people can use face and voice recognition and their thumbprint along with other information to log in.

USAA is also adding similar options to other parts of the organization, like their call center, McAlum said. If a member calls in, and depending on the type of transaction and whether they’re enrolled in multifactor authentication, the firm can send a one-time code to a phone on record.

“It’s not just knowledge, but it’s something that you have or something that you are,” McAlum said.

Experts also examine people’s behavior on the back end, monitoring transactions and looking for red flags. Phishing, where someone gets an email from a seemingly legitimate organization seeking personal information, is “rampant,” he said. It prompted USAA to add a specific format and security mark to its emails about six years ago, making it more difficult for hackers to forge.

Thieves try the same tactics over the phone with spoofing, and USAA is starting to see more attempts over text messages, where someone will get a text with a link, McAlum said. If the recipient clicks on it, they will generally either be taken to another location and asked to enter personal information, or in more serious cases it will download malicious software onto their device without their knowledge, he said.

In 2017, USAA prevented nearly $3.2 billion in fraud, according to the Report to Members.

Banks and financial institutions will continue to look for passive ways and new technologies to validate someone’s digital identity, McAlum said.

“Mobile devices can be seen as an extension of me: how I hold it, how I use it, how I secure it,” he said. “If you can gather enough information around that device, that can be used as a way to authenticate somebody online. There are technologies and techniques that allow us to tie devices to identities, and that's getting more robust.”

Madison Iszler covers manufacturing, technology and other business topics for the San Antonio Express-News.

Before joining the Express-News, Madison covered retail, small businesses and other topics at the Albany Times Union and worked on a project about Social Security disability benefits. She also worked as a general assignment reporter at the Raleigh News & Observer and wrote a two-part series about the state’s farm workers.